Planning is an important part of any successful business. But too often, managing IT security becomes an afterthought. Only after a security breach do managers scurry to shut the barn door. Target Corporation is one of the latest (and most extreme) examples. The retailer lost the confidence of millions of customers after revealing that hackers had stolen data from 40 million credit cards. To win customers back, Target offered 10% off everything in the store on the final weekend before Christmas. But that did little to relieve the hassle millions will face this year reversing fraudulent charges and other financial harm.
Now imagine a similar scenario not in the retail industry, but in healthcare. Instead of a credit card number that can easily be changed, sensitive identification and health information gets exposed. In some cases, such a breach may simply result in the embarrassment of showing how many plastic surgeries you really had. But in others it could result in social stigma or lead to financial or medical fraud. Worse yet, stolen medical identities can also be used to commit medical identity theft, where individuals assume the victim’s identity to receive medical treatment, resulting in potentially life-threatening changes to medical records. Individuals who have experienced such theft have spent years trying to correct their medical records.
By the close of 2013, over 200 breaches affecting nearly 6.5 million Americans were reported to the US Department of Health and Human Services. And many analysts believe 2014 will be even worse. As the Affordable Care Act drives more digital activity, new threats will emerge that will likely result in additional breaches. It is time for healthcare executives to make a security plan for 2014 and avoid becoming a security breach headline like Target.
In a research article that went to press in December, my co-authors and I show just how important planning is. Examining data from 243 hospitals, we find that while compliance with state and federal IT security mandates like HIPAA helps the worst hospitals protect patient information better, organizations that maintain and regularly update a security plan get far more from their security investments. We define these organizations as “operationally mature.” These strategic plans — along with periodic reviews — enable organizations to learn of potential new risks and evaluate their own security posture. As a consequence, organizations’ security resources are better targeted to address their specific needs and the environments in which they operate.
Our results show that the impact of security investments varies depending on the operational maturity of the organization. In operationally immature organizations, compliance significantly improves actual security, while, surprisingly, it has no impact in operationally mature organizations. Furthermore, our findings suggest that operationally mature organizations are more likely to be motivated by breach occurrences than by compliance with federal and state security standards. By contrast, operationally immature organizations are more likely to be motivated by standards compliance than by actual security. We conclude that security resources appear to be more strategically planned and executed in operationally mature organizations. This results in complementary effects that improve overall security performance.
While striving for compliance helps maintain security to a certain degree, this checklist mentality may prevent operationally immature organizations from developing more comprehensive and sustainable capabilities needed for meaningful improvements in the day-to-day handling of patient data. Compare that to operationally mature hospitals, which are motivated by actually protecting their patient data rather than fulfilling minimal regulatory requirements.
Based on our analysis, we argue that policymakers should focus on providing guidelines designed to help healthcare organizations achieve operational maturity regarding IT security rather than simply imposing single-solution compliance requirements. Similar to teaching a person to fish, regulations should encourage organizations to actively develop and maintain their own action plans rather than providing check-box requirement lists.